FAQ

Q: How exactly does Computer Forensics work?

A: What does a forensic computer examiner do? They will take several careful steps to identify and extract all relevant data that is resident on a subject’s computer system. Forensic analysis will extract the data that can be viewed by the operating system, as well as data that is invisible to the operating system. Proper forensic protocol will:

Protect the evidence during the forensic examination from any possible alteration, damage, data corruption, or virus introduction. A write-blocking device should be used at the time the computer is acquired to ensure that the evidence is not damaged, tainted or is in any other way rendered inadmissible in court.

Use forensically sound protocols at all times during the investigation to ensure that the information on the computer is admissible in court. Assume that every case/situation could end up in the legal system. If your Computer and Digital Forensics Examiner doesn’t make that assumption, find someone else. A true Forensic Examiner will implement write-blocking techniques, MD5 hash values and establish a Chain of Custody.

Address the legal issues at hand in dealing with Electronic Evidence, such as relevant case law, how to navigate the discovery process, protection of privilege and in general, working/communication with attorneys and other professionals.

Recover all deleted files and other data not yet overwritten. As a computer is used, the operating system is constantly writing data to the hard drive. From time to time, the operating system will save new data on a hard drive by overwriting data resident on the drive but no longer needed by the operating system. A deleted file, for example, will remain resident on a hard drive until the operating system overwrites all or some of the file. Thus, in order to preserve as much relevant data as possible on a computer system, you must acquire relevant computers as soon as possible. The on-going use of a computer system may destroy data that could have been extracted before being overwritten. Fortunately, the costs of acquisition are very reasonable, and the process is not disruptive.

Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes unallocated space on a disk (currently unused, but possibly the repository of previous data that is potentially relevant), as well as 'slack' space in a file (the unused space at the end of a file, in the last assigned disk cluster, that may be a possible site for previously created and relevant evidence).

Prepare a computer forensics report of the computer system, as well as provide you a copy of all relevant data, parsed in a format and arranged to be integrated into your legal theories and strategies. In an appropriate case, the forensic analysis will also opine regarding the system layout, file structures, attempts to hide, delete, protect, encrypt information and anything else that has been discovered and is relevant to the matter.

Provide Expert consultation and/or testimony, as necessary. Many times attorneys are disappointed with the quality of expert testimony. A good computer forensic company will have trained its experts to appear in court to support motion practice, discovery disputes, and at trial.
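The slack-space and unallocated-space steps above can be seen on a small scale in the following added example, which is not taken from any forensic product. The 512-byte cluster size, the four-cluster image, the file name and the text fragments are all constructed for illustration.

```python
import re

CLUSTER = 512  # constructed cluster size; real volumes commonly use 4096 bytes

def build_image():
    """Build a constructed 4-cluster volume and its allocation map (not a real file system)."""
    img = bytearray(CLUSTER * 4)
    # Cluster 1 once held a 500-byte memo that was later deleted.
    old = (b"Q3 pricing memo: do not forward. " * 16)[:500]
    img[CLUSTER:CLUSTER + len(old)] = old
    # The cluster was then reused by a shorter file; only its first bytes were overwritten.
    new = b"Lunch order for Friday: 12 sandwiches.\r\n"
    img[CLUSTER:CLUSTER + len(new)] = new
    # Cluster 3 holds a deleted e-mail fragment and was never reallocated.
    frag = b"From: alice@example.test Subject: severance terms"
    img[3 * CLUSTER:3 * CLUSTER + len(frag)] = frag
    files = {"lunch.txt": {"clusters": [1], "size": len(new)}}
    return bytes(img), files

def logical_content(img, entry):
    """What the operating system shows: the first `size` bytes of the cluster chain."""
    chain = b"".join(img[c * CLUSTER:(c + 1) * CLUSTER] for c in entry["clusters"])
    return chain[:entry["size"]]

def file_slack(img, entry):
    """Bytes between the logical end of the file and the end of its last cluster."""
    if not entry["clusters"]:
        return b""
    used_in_last = entry["size"] - (len(entry["clusters"]) - 1) * CLUSTER
    last = entry["clusters"][-1]
    return img[last * CLUSTER + used_in_last:(last + 1) * CLUSTER]

def unallocated(img, files):
    """Yield (cluster_number, data) for clusters no file currently owns."""
    owned = {c for e in files.values() for c in e["clusters"]}
    for c in range(len(img) // CLUSTER):
        if c not in owned:
            yield c, img[c * CLUSTER:(c + 1) * CLUSTER]

def strings(data, min_len=8):
    """Printable ASCII runs, a common first pass over raw sectors."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def examine():
    """Compare what the OS shows with what slack and unallocated space still hold."""
    img, files = build_image()
    entry = files["lunch.txt"]
    return {
        "visible": logical_content(img, entry),
        "slack_strings": strings(file_slack(img, entry)),
        "unallocated_strings": {c: strings(d) for c, d in unallocated(img, files) if strings(d)},
    }

if __name__ == "__main__":
    for key, value in examine().items():
        print(key, "->", value)
```

The visible file contains only the lunch order, while the slack of the same cluster still carries the tail of the deleted memo and cluster 3 still carries the e-mail fragment.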

Q: How do I explain Computer Forensics to my client?

A: Computer forensics and investigations is the process of preserving and analyzing all data on a computer whether or not it is visible to the operating system or user.

Q: How do I know if I have a good Computer Forensics Examiner?

A: Attorneys have unique needs when using computer forensic analysis. They must rely upon an expert to extract relevant data using procedures and protocol that permit the data to be admitted in court; while also relying upon the same expert to help identify and resolve issues related to rules of procedure, litigation strategy, and the theory and law of the case. The former requirement focuses upon computer technology, the latter upon legal training and trial experience.
Good computer forensics companies will have merged computer technology and trial experience. In regard to computer technology, a good computer forensic company will use sound procedures to ensure that all relevant information is admissible in court. It will be able to explain those procedures in an intelligent, compelling manner before judges and juries. A forensic computer expert will be able to explain the technological issues and strategies to you in such a way that you will be comfortable explaining them to your opponent, or to a judge in motion practice. As to legal and trial issues, a good computer forensic company will be able to help you anticipate the procedural objections and strategies that you may encounter using computer forensics, provide you the case law support for the protocols you wish to use, suggest procedures that satisfy federal and state court rules, and recognize information relevant to your legal theories, strategies and claims.
Before engaging a forensic company be sure to ask the following questions:

What is the experience level of the forensic computer examiner?

How long have they been in the industry?

Have they ever testified in court?

Have they been admitted as an expert witness?

How many cases have they worked?

What relevant education and training do they have?

What professional organizations are they affiliated with?

What standards and protocols have they employed to ensure the evidence is not tainted?

What software do they use?

Do they rely on a single piece of software or do they have an arsenal of tools to use as appropriate?

Do they have the proper licensing of the software they are using?

Is their software proprietary and if it is proprietary, has it been accepted in the court system? If not, you may have an uphill battle just getting the evidence admitted.

Do they have in-house, full time attorneys working on the cases?

Are the attorneys trained in the forensic analysis of computers?

What is the experience level of the attorneys, including trial experience?

Have the attorneys been admitted as expert witnesses?

All of these questions are important in determining the skill level and expertise of the computer forensic company. More importantly, these questions are important to judge the degree to which the company will be able to help you in the real world of trial litigation.

Q: If I think that evidence exists, is it ok if my Technology expert takes a look for the information before I get in touch with a Computer Forensics Expert?

A: Most in-house technology experts are concerned with mission critical data and recovery from catastrophic data loss. They are not experts in the acquisition and preservation of data rendered invisible to the operating system. Even the most well intentioned technology expert can damage the fragile information that is stored on a computer, especially when the operating system does not recognize the data. The simple act of turning the computer on or looking through files can potentially damage the very data you're looking for. Dates can be changed, files overwritten and evidence can be corrupted.
Additionally, using in-house personnel can raise issues related to authentication that can increase the cost of admitting evidence. In-house personnel may be put through a Daubert-Frye challenge that could threaten the admissibility of critical evidence. If there is a remote chance that the matter could end up in court, best practice strongly suggests having the data analyzed by computer forensic investigators. The cost of computer forensic service will almost always be far less than the cost of defeating a challenge to the admission of critical evidence.

Q: Isn't Computer Forensics only useful in cases where you expect that there is a "smoking gun"?

A: Computer forensic analyses are useful whenever computers have been used either to commit a crime or tort, or to create, modify, or store data that can be used as evidence. Many times an attorney will suspect that there ought to be an email, a letter, or some other, singular, "smoking gun" that will prove his case or destroy his opponent's legal theory. Often, however, the "smoking gun" is not one single document, but rather, an aggregate of documents and artifacts. Artifacts tell the certified computer forensics examiner how the computer was used; while documents, fragments, hidden data, and deleted data can be extracted, compiled, and presented as evidence in a case.

Q: When should I consider using Computer Forensics?

A: A good rule of thumb is to use Computer Forensics as a tool to (1) determine the facts from your client, (2) discharge your duty to avoid spoliation, (3) obtain all relevant evidence from the opposing party in a manner similar to using a Request for Production of Documents, and (4) determine whether computers were used as the instrumentality of a tort or crime.
Computer forensics software can help determine facts from your client. An attorney must have all the information relevant to a matter, not only to construct effective legal strategies, but also to focus your client’s expectations, and efficiently price your forensic computer services. There is nothing more difficult to address than a case that has become complicated by new facts, where your client expected the matter to proceed smoothly and without significant cost. Knowing all the facts early in a matter allows you to better prepare your client for those cases that will require significant legal expertise to manage.
Discharge Duty to Preserve Evidence. In response to pending litigation, analyzing your client’s relevant computers is an excellent way to discharge your duties to preserve evidence and avoid spoliation, while also acquiring all relevant information essential to your legal theories and strategies. Similarly, as part of critical business decisions, forensically analyzing relevant computers can provide essential information. For example, analyzing the computers of corporate officers or employees as part of the termination process can alert you to possible litigation issues such as violation of non-compete agreements, improper copying of intellectual property, etc.
In Lieu of Request for Production of Documents. In litigation, an attorney ought to determine whether a Request for Production of Documents will obtain all relevant evidence. You might simply ask yourself whether you want to discover part of the relevant information (i.e. that seen by your opponent’s operating system) or all of it (deleted, hidden, orphaned data, etc). It is not unrealistic to anticipate that information contained on a computer system that is helpful to a matter would be saved, while that which is harmful would be deleted, hidden, or rendered invisible. For example, in sexual harassment cases, it is not unusual to discover deleted emails and other data invisible to the operating system that significantly affects the case. Computer forensic analysis extracts all the emails, memos, and data that can be viewed with the operating system, as well as all invisible data. In many cases, the invisible data completely changes the nature of a claim or defense, leading to early settlement and avoidance of surprises during litigation.
Computers as Instrumentality of Crime or Tort. In any situation in which one or more computers may have been used in an inappropriate manner, it is essential to call a forensic expert. Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the "tracks" left behind by inappropriate use. Taking the wrong steps in these circumstances can irretrievably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.

Q: What does a Forensic Analysis cost and will it disrupt my business?

A: In the past, Computer Forensic Examinations could run tens of thousands of dollars because of the manpower necessary to thoroughly examine a hard-drive. With the advancement of technology in the Computer Forensics arena that is no longer the case. The software and hardware available now make the price of Computer Forensics affordable and well worth the investment. The prices can range from $200 an hour to $450 an hour and the process involves basically three steps: Acquisition, Searching, and Reporting. Acquisitions usually cost less than $600. Searching and Reporting, of course, depend on the nature of your case. In most instances, searching and reporting can be completed for less than $3500. The initial analysis is usually less than $4500.
There is no reason that forensic data analysis needs to disrupt any business. Making a "clone" of a computer system for electronic evidence retrieval (even if several computers are involved) can be done during non-business hours, at night, or over a weekend. In many cases, the clone is acquired in less than 5 or 6 hours.

Q: What is "Ghosting" an image and why isn't that good enough?

A: Ghost is a software application created by Symantec. Ghost is very good for creating an image of a computer that includes only those files and data visible to the operating system and the user. Ghost does claim to have settings allowing it to make an image of all data. However, Ghost has not been tested and verified through peer review to determine its worthiness in creating a forensic image. Furthermore, Ghost does not have a method for verifying whether the data that it does acquire is accurate and has not changed. Vestige uses a tool called EnCase which has not only been peer reviewed but also has been tested by NIST (National Institute of Standards and Technology). It maintains a unique signature of the image which it can use to compare at any point in time in order to verify the authenticity of the image.

Q: What is an "Acquisition"?

A: Acquiring the computer image and authenticating the data are the initial steps in a Computer Forensics examination. The Acquisition of a computer or other digital media is done using specialized software and write-blocking devices which ensure that an exact copy of the digital evidence is made. Acquisitions can be done wherever and whenever is convenient and non-disruptive. Many times acquisitions are performed at night or on weekends, either on-site or at the law offices of counsel. In some situations, acquisitions can also be completed in the home or office.
An acquired image of the subject computer is then authenticated by forensic software which creates and embeds in the image a digital fingerprint. This "fingerprint" is called an MD5 hash and is a numeric code that represents all the information on the computer. If one single bit is changed on the computer the MD5 hash value will not match. This ensures that the Computer Forensic Examiner has not changed the data and replication of the MD5 is admissible in court.
The sooner the acquisition is done the more likely the chance to find the evidence you are looking for. So, if you suspect you might have a problem now or in the future you can have the computer drive acquired and have the image preserved indefinitely. Acquisition costs are very reasonable, making this strategy a feasible method to prepare for potential litigation.
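The authentication step described in this answer, as an added example that is not the code of any forensic product: it records an MD5 fingerprint of an image at acquisition and later re-verifies a working copy. The per-block MD5 list goes beyond what the answer describes and is an assumption of this example, added so that a mismatch can be located; the 64 KiB block size and the sample image are constructed.

```python
import hashlib
import io

BLOCK = 64 * 1024  # block size for the per-block hashes (an assumption of this example)

def fingerprint(stream, block=BLOCK):
    """Read the image once; return its whole-image MD5 plus one MD5 per block."""
    whole = hashlib.md5()
    pieces = []
    size = 0
    while True:
        data = stream.read(block)
        if not data:
            break
        whole.update(data)
        pieces.append(hashlib.md5(data).hexdigest())
        size += len(data)
    return {"md5": whole.hexdigest(), "size": size, "block": block, "pieces": pieces}

def verify(record, stream):
    """Re-hash an image and compare it with the fingerprint recorded at acquisition."""
    now = fingerprint(stream, record["block"])
    changed = [i for i, (a, b) in enumerate(zip(record["pieces"], now["pieces"])) if a != b]
    return {
        "match": now["md5"] == record["md5"] and now["size"] == record["size"],
        "changed_blocks": changed,               # which blocks differ, if any
        "size_delta": now["size"] - record["size"],  # non-zero if the copy is truncated or padded
    }

def make_sample_image():
    """Constructed 200 KiB 'drive': deterministic bytes, not real evidence."""
    return bytes((i * 31 + 7) % 256 for i in range(200 * 1024))

def demo():
    """Acquire, verify an exact copy, then verify copies with one flipped bit and a short read."""
    source = make_sample_image()
    record = fingerprint(io.BytesIO(source))     # taken at acquisition time

    exact = verify(record, io.BytesIO(source))

    tampered = bytearray(source)
    tampered[150000] ^= 0x01                     # change a single bit
    flipped = verify(record, io.BytesIO(bytes(tampered)))

    truncated = verify(record, io.BytesIO(source[:-1]))
    return record, exact, flipped, truncated

if __name__ == "__main__":
    record, exact, flipped, truncated = demo()
    print("acquisition MD5:", record["md5"])
    print("exact copy     :", exact)
    print("one bit flipped:", flipped)
    print("one byte short :", truncated)
```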

Q: What is Computer Forensics?

A: Computer forensics is the scientific and strategic examination and analysis of recovered electronic data. This data resides on any type of computer storage media in such a way that the information can be used as evidence in a court of law. Using highly specialized software, a computer forensics investigator can use digital analysis to "unlock" every bit of data on electronic media. All data that has been deleted, hidden, or otherwise rendered invisible and imperceptible to the operating system can be uncovered.

Q: What risks are there if I don’t consult a Computer Forensics expert at the start of a problem?

A: The most frustrating aspect of forensic analysis is that the operating system randomly overwrites data on the hard drive. This means that the longer a computer is used, the more likely it is that evidence will be lost, even to a computer forensic specialist. Fortunately, the operating system frequently records evidence in several places simultaneously. So if the data is overwritten in one area, it may still reside in another. It is impossible to tell, however, whether the data that is most important to you will survive the constant use of the computer. Indeed, the simple act of turning the computer on or looking through files can potentially damage the very data you’re looking for. The dates that files were created can be changed, files can be overwritten and evidence can be corrupted. The safest practice is to have a computer forensic company acquire an image of the computer as soon as possible; however, it may be possible to find relevant data even after years of use.

Q: What standards should Computer Forensics Examiners follow and why is that important?

A: A Computer Forensics Examiner should follow forensically sound investigative standards. All cases should be treated as if they will result in litigation. If even the slightest misstep occurs your evidence could be thrown out of court. The Department of Justice and The International Association of Computer Investigative Specialists both have basic standards to follow to ensure that the evidence that is acquired will hold up in court. The guiding principles behind these computer forensics standards are as follows:
A. Document the receipt and handling of all evidence. This means that each and every piece of evidence should be examined on site and photographed if necessary. Documentation of the physical examination of digital evidence including irregularities and numbering of the evidence. Documentation of all the individuals who had access to the evidence. Documentation for the release of evidence to the examiner. Documentation of the evidence inventory and chain of custody.
B. Date and time of the computer should be recorded preferably from the BIOS set-up.
C. Conducting searches on the original media should be avoided. The data should be acquired using industry accepted software combined with the use of write-blocking devices. Analysis of the media should be done on an exact copy of the computer hard drive and should be authenticated prior to analysis.
D. When creating the duplicate copy of the computer hard drive properly prepared media should be used by the examiner to ensure that no co-mingling of data occurs. The storage media used by the examiner should be sanitized and void of any other electronic data.
E. Analysis of the data should be done systematically and following the legal parameters of the case. The investigation should start with a collaborative meeting with the client and attorney to determine the search terms and guidelines.
F. At the conclusion of the examination proper documentation should be produced detailing standard procedures used, a list of evidence found, the search parameters, etc.

Q: What types of cases is Computer Forensics useful in?

A: Any case in which you file a Request for Production of Documents, or request all relevant documents from your client, is a case that will benefit from the efficiencies and scope of Computer Forensic Application. Computer Forensics will quickly obtain for you all the relevant evidence, not just the evidence that your opponent or client has determined is sufficient and responsive to your request.

Q: Why can't my client perform computer forensics themselves?

A: Your client should reach out to companies specializing in computer forensics because your client has a vested interest in finding information that would support their case. Vestige is an impartial third party. Also, the applications and software for data analysis we use to preserve and analyze data, as well as the training, would cost your client more money to acquire than it would to retain us.

Legal FAQs

Q: As an attorney, am I at risk of professional liability if I don't recommend the use of computer forensics?

A: If relevant information is found on the computer after the case has closed and you did not recommend Computer Forensics at the start of the case you could be found negligent. Given that Computer Forensics is not cost prohibitive, follows all the traditional discovery protocol, is not obtrusive to the operations of business and can find visible and invisible documents, it is a potential tool in each and every case. Don’t fall into this trap; consider the use of Computer Forensics experts from our digital forensics company in any case which could end up in court.

Q: How do you prevent the release of information from being considered a waiver of client-attorney privilege?

A: The use of forensic IT services for comprehensive computer forensics data recovery does not circumvent traditional Rules of Discovery. Privileged information will still be redacted from the Initial Findings Report. The searches will be done according to agreed upon key terms and will not extend beyond the established parameters.

Q: How do I prevent the opposition from continuing to use the computer and potentially damaging the evidence?

A: In our resources section Vestige has sample spoliation letters which will inform the opposition of their duty to preserve all evidence including all data on the computer that they are using to prevent any forensic fraud. Vestige’s legal group will walk you through the process of customizing a letter to fit your specific needs so that you are successful in ensuring preservation of electronic records.

Q: How does Vestige prevent "fishing expeditions" or overly-broad searches?

A: Vestige has years of experience in performing computer forensics services. From our experience, we can determine which searches will be too broad and therefore pointless and which ones will find the information you are looking for, should it exist. Furthermore, Vestige has the skills to refine searches so that if a search becomes too broad but is necessary, we can narrow down the parameters to still achieve the results you are looking for.

Q: What about protecting the attorney client privilege?

A: When performing a computer forensic examination, Vestige always turns over data we find to the producing party allowing them to redact anything that may be considered client confidential information. We then turn over the resulting data to the opposing side. This process occurs regardless of whether we are analyzing your client's data or the opposing side’s data. When retained by you, the attorney, Vestige is acting as an agent for you and is therefore bound by the client attorney relationship including the protecting of attorney client privileged information.

Q: What is "Non-Adversarial Discovery"?

A: Vestige's job is to work with our client to determine the strategy of a case and uncover the information that is pertinent. We may also be called to testify how the data got on the computer and what that data means. Either way, Vestige is only testifying to whatever facts are uncovered off of the computer. Our opinion is in no way tainted by who hires us. We have many times been retained by both sides in a case to uncover all facts relating to the case and have done so in a complete and accurate way.

Q: What is the benefit of using Computer Forensics in Electronic Discovery versus traditional "paper" discovery?

A: Unlike paper evidence, computer evidence can often exist in many forms, with earlier versions still being accessible on a computer. With 90% of office correspondence never being printed there is a lot of material that could potentially be missed if you’re only looking for traditional documents. With the use of Vestige's data recovery service this "hidden" digital information can be unlocked.

Q: What is the difference between Computer Forensics and Electronic Discovery?

A: Electronic Discovery of data is an extension of RULE 26(a)(1) of the Federal Rules of Civil Procedure which governs the disclosure of "all documents, data compilations and tangible things" subject to discovery in litigation. Electronic Digital Discovery is primarily an organization tool, allowing the user to process, locate, recall, and parse large amounts of data using powerful electronic searching and indexing tools. Considering that more than 90% of all documents and communications are produced digitally, and many of these items are never printed to paper media, Electronic Digital Discovery is a very powerful tool.
Electronic Digital Discovery is not an investigative or analytic tool. It is limited for example, to organizing and retrieving only that portion of the information on a computer that everyone can see, access, and copy. If data that supports your legal theory or strategy has been deleted, hidden, or otherwise rendered invisible to the computer’s operating system, you won’t find that information using Electronic Discovery.
Computer forensic analysis, on the other hand, is an inclusive analytic tool that identifies, extracts, preserves, and searches both the visible and the "invisible" information on a computer. With the use of computer forensics investigation and analysis you can find, compile, and parse all the evidence. This includes evidence comprising deleted files, unallocated space, slack space, hidden files, and encrypted files. Once all the evidence has been located, extracted, compiled, and parsed, it can be inserted into common Electronic Discovery tools and integrated into a case. Thus, Computer Forensics is a powerful engine that enhances the Electronic Discovery process because Computer Forensic analysis gives you all the information Electronic Discovery can provide plus a whole lot more.

Q: Why can't my law firm or I offer this service for our clients?

A: There are three reasons why you, as a law firm, might run into issues when offering this service to your client. The first reason has to do with client confidential information. In the course of searching a hard drive, an analyst may come across information that is considered client confidential. At Vestige, we always give the producing party the information we find first in order to let them redact any client confidential information. Second, being your client’s attorney, you have a vested interest in finding anything to support your client’s case. That could open the door for challenges from the opposing side that you were not examining the data with a clear conscience, especially if you are working on contingency. While Vestige is hired by you, we do not work on contingency and our reputation is based on giving an unbiased report on what we find on the computer. We have a vested interest to do a thorough job and not let anything cloud our report.
Vestige's staff of computer technicians is composed of experts in the computer forensics field and attorneys; this gives us the edge in uncovering the legal and technical aspects of any case. Furthermore, we use tools that are geared towards forensic analysis and have a wealth of information to pool from.